Interesting People mailing list archives

Social Security numbers and passwords


From: Willis H. Ware <willis () jake rand org>
Date: Fri, 02 Jul 93 14:54:07 PDT



Ohringer () DOCKMASTER NCSC MIL asks about the use of some or all of
one's SSN as part of a scheme to assign computer passwords.  The
scheme is not described in enough detail to really answer his
questions, but some comments are possible.  It might be an innocuous
or a dumb idea depending upon details of the usage.

1.  First, if the last 4 digits are supposed to uniquely point to a
password, it follows that at most 10,000 employees can be handled.
Worse, though, there is a reasonable probability that there will be
duplication among the 4-digit tails of some random collection of
employees.  Unless the 4 digits were combined with something else, the
mapping into passwords might not be unique.

If duplication must be avoided, then the company must be prepared to
assign alternate numbers, so why not base the scheme entirely on a
company's own employee-number scheme?

2. Why use the SSN? Probable answer: the company already has SSNs in
the personnel-records database.  It is too lazy or indifferent or
foolish to make up some unique anonymous numbering system for itself.

3. .................. Is this an acceptable use of (part of) social
security numbers?

Depends upon personal opinion only. I think it unwise, if not dumb,
especially for what would appear to be a very minor advantage that
could be gained.  There is no law that says you cannot do this unless
your state happens to have one.  Even then the law will almost
certainly refer to "the SSN" and not concern itself with usage of a
part of the number.

..................  What precedents exist for allowing or
prohibiting such use?  What precedent is set by this proposed use?

There are no legal prohibitions against use of the SSN within the
private sector for record-keeping purposes.  We all know that in spades.
There are a few legal requirements which mandate the use of SSN; e.g.,
financial transactions which involve tax consequences.  If the company
that is considering this is a Fortune 500 and if the scheme became public
knowledge, there might be a small temptation for others to follow. If the
company in question is a small family business in rural Maryland, there
is probably no precedent of importance.

I point out that if the actual 4 digits of the SSN were traceable
through or derivable from the password and if the password becomes
compromised [i.e., known to a 3rd party], then 4/9 of the SSN is
revealed.  It might not be too difficult to construct the rest of the
9 digits.  The format of the SSN is known, the significance of the
various digit combinations is well known, and employment or family
history might be enough to deduce the others.  But then some people
don't consider an SSN to be a sensitive data element; a lot of others
do, however.

I look forward to reading how readers would react if they faced such a
proposal.

Lauren would properly decline to print my explicit views of a
management that is seemingly so careless, so casual, so indifferent,
so unwise, so foolish, so unbelievably ill informed and so
unimaginative as to propose the use of the SSN for a trivial purpose
with seemingly so little payoff, or for that matter to propose its use
for any purpose other than for which it is legally required.

For a good history and review of the SSN usage, see the report of the
Privacy Protection Study Commission, chapter on SSN.

                                                Willis H. Ware
                                                Santa Monica, CA

------------------------------
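A worked check of the duplication point in item 1 above (an added example, not part of Ware's post or the list archive): the birthday bound over the 10,000 possible 4-digit SSN tails, plus a duplicate scan over a constructed staff sample. The head counts, the sample tails and the helper names are all assumptions.

```python
"""Birthday-bound arithmetic for 4-digit SSN tails (added example)."""
from collections import Counter
from typing import Dict, List

TAIL_SPACE = 10_000  # a 4-digit tail is one of 0000..9999


def collision_probability(employees: int, space: int = TAIL_SPACE) -> float:
    """Probability that at least two of `employees` share a tail, assuming
    tails are uniform and independent (the birthday problem with `space`
    buckets). Computed exactly as 1 - prod((space - i) / space)."""
    if employees > space:
        return 1.0  # pigeonhole: more employees than distinct tails
    p_all_distinct = 1.0
    for i in range(employees):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def employees_for_even_odds(space: int = TAIL_SPACE) -> int:
    """Smallest head count at which a shared tail is more likely than not."""
    n = 1
    while collision_probability(n, space) < 0.5:
        n += 1
    return n


def expected_colliding_pairs(employees: int, space: int = TAIL_SPACE) -> float:
    """Expected number of employee pairs sharing a tail: C(n, 2) / space."""
    return employees * (employees - 1) / (2 * space)


def duplicate_tails(tails: List[str]) -> Dict[str, int]:
    """Tails that occur more than once, with their counts. A password scheme
    keyed on the tail alone could not tell these employees apart."""
    counts = Counter(tails)
    return {tail: count for tail, count in counts.items() if count > 1}


# Constructed sample: last-4 tails of a small, invented staff list.
SAMPLE_TAILS = ["4821", "0093", "7710", "4821", "5555", "0093", "1234", "4821"]

if __name__ == "__main__":
    for n in (50, 119, 500, 1000):
        print(f"{n:5d} employees: P(shared tail) = {collision_probability(n):.3f}, "
              f"expected colliding pairs = {expected_colliding_pairs(n):.1f}")
    print("even odds of a shared tail at", employees_for_even_odds(), "employees")
    print("duplicates in sample:", duplicate_tails(SAMPLE_TAILS))
```

With only 119 employees the odds of a shared tail already pass one half, and at 1,000 employees roughly fifty pairs collide, which is why the tail alone cannot serve as a unique key.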

